Windows 10 End of Support: What You Need to Know to Pass Cyber Essentials

Written by Craig Pepper | Sep 5, 2025 1:53:16 PM

Microsoft will officially end support for Windows 10 Home and Pro on 14 October 2025. Continuing to use Windows 10 after this date will directly impact your organisation’s ability to meet Cyber Essentials requirements...

Cyber Essentials and Supported Software

Cyber Essentials requires that all in-scope systems run supported, vendor-patched software. This control is essential because unsupported software creates unavoidable security gaps. The rules are clear: operating systems must still be receiving security updates, critical patches must be applied within 14 days of release, and unsupported operating systems are not allowed on internet-connected devices. If even one device in scope is found running an end-of-life OS, the assessment will automatically fail.

Windows 10 End of Support

Microsoft has confirmed that Windows 10 (Home, Pro, Pro Education, Pro for Workstations) will reach end of support on 14 October 2025. Version 22H2 is the final release, and it will continue to receive monthly security updates until that date. After this date, Microsoft will no longer provide free security updates or patches. In practical terms, Windows 10 becomes a legacy product, and any vulnerabilities discovered after October 2025 will remain unpatched.

Why This Creates a Cyber Essentials Risk

If your organisation continues to use Windows 10 beyond October 2025, it will no longer receive security patches, leaving new vulnerabilities open to exploitation. From a compliance perspective, this automatically results in a Cyber Essentials failure because unsupported software is not permitted. It also increases the attack surface, as cybercriminals actively target systems that have reached end of life. Furthermore, many insurers and clients require evidence of supported software. Continuing to use Windows 10 after support ends could therefore place insurance coverage and contractual commitments at risk.

Recommended Actions

  1. Upgrade to Windows 11

    • Migrate compatible devices to Windows 11 as soon as possible.

    • Begin hardware checks now to see which machines can support the upgrade.

  2. Refresh or Replace Hardware

    • Devices that cannot meet Windows 11 requirements should be replaced.

    • Alternatively, consider other supported operating systems (e.g. Linux, ChromeOS Flex) if suitable for your environment.

  3. Use Extended Security Updates (ESU) as a Bridge

    • Microsoft will offer paid Extended Security Updates for Windows 10 from October 2025.

    • This can keep devices technically supported for a limited time, but costs rise each year and only critical patches are provided.

    • Treat ESU as a temporary solution, not a long-term plan.

  4. Isolate or Decommission Legacy Devices

    • If upgrade or ESU isn’t possible, remove devices from scope by disconnecting them from the internet.

    • Use strict network segmentation or retire the devices altogether.

  5. Keep Records for Certification

    • Maintain an asset inventory, upgrade logs, and proof of ESU licensing where used.

    • This evidence will be needed at assessment.
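
As an added illustration (not part of the original article or any official Cyber Essentials tooling), the sketch below triages an asset inventory against the rules described above: supported OS, ESU as a bridge, the 14-day patch window, and isolation from the internet. The CSV column names, status labels and sample rows are assumptions constructed for this example, and real scoping decisions rest with your assessor.

```python
import csv
import io
from datetime import date

WIN10_EOS = date(2025, 10, 14)   # end-of-support date stated in the article
PATCH_WINDOW_DAYS = 14           # critical patches within 14 days of release

# Constructed sample inventory; column names are assumptions for this example.
SAMPLE_INVENTORY = """hostname,os,esu_licensed,internet_connected,oldest_missing_critical_patch
fin-01,Windows 11,no,yes,
fin-02,Windows 10,no,yes,
ops-03,Windows 10,yes,yes,
lab-04,Windows 10,no,no,
hr-05,Windows 11,no,yes,2025-10-20
"""

def assess_device(row, today):
    """Return (status, reason) for one inventory row as of `today`."""
    if row["internet_connected"].strip().lower() != "yes":
        return "OUT_OF_SCOPE", "isolated from the internet; keep segmentation evidence"
    if row["os"].strip().lower().startswith("windows 10") and today > WIN10_EOS:
        if row["esu_licensed"].strip().lower() != "yes":
            return "FAIL", "unsupported OS on an internet-connected device"
        note = "supported via ESU; keep proof of licensing"
    else:
        note = "supported OS"
    released = row["oldest_missing_critical_patch"].strip()
    if released:
        # Release date of the oldest critical patch not yet installed.
        age = (today - date.fromisoformat(released)).days
        if age > PATCH_WINDOW_DAYS:
            return "FAIL", f"critical patch outstanding for {age} days"
    return "PASS", note

def assess_inventory(csv_text, today):
    """Map hostname -> (status, reason) for every row in the CSV text."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["hostname"]: assess_device(row, today) for row in reader}

def overall_result(results):
    """One failing in-scope device fails the whole assessment."""
    return "FAIL" if any(s == "FAIL" for s, _ in results.values()) else "PASS"

if __name__ == "__main__":
    results = assess_inventory(SAMPLE_INVENTORY, date(2025, 11, 10))
    for host, (status, reason) in results.items():
        print(f"{host:8} {status:13} {reason}")
    print("Overall:", overall_result(results))
```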

Consequences of Not Acting

Failing to prepare for this deadline risks failing Cyber Essentials renewal altogether. For organisations dependent on certification for government or supply chain contracts, this can result in being excluded from opportunities and breaching client requirements. More significantly, unsupported systems carry a much higher risk of cyber attack, data breach or ransomware, all of which could be avoided by addressing the Windows 10 issue ahead of time.

Key Takeaway

The 14 October 2025 deadline for Windows 10 end of support is not negotiable. Unsupported systems are not permitted under Cyber Essentials, and organisations must take action well in advance to protect both compliance status and security posture. By planning upgrades, hardware refreshes, or alternative solutions now, organisations can avoid disruption, reduce risk, and maintain Cyber Essentials certification.
